Arsenal

Returning bigger than ever for 2014, Black Hat is pleased to once again present Arsenal--a Tool/Demo area where independent researchers and the open source community will showcase some awesome weapons. See below for the full list and descriptions of each of these tools.

white paper

presentation

source

The Android Device Testing Framework ("dtf") is a data collection and analysis framework to help individuals answer the question: "Where are the vulnerabilities on this mobile device?" Dtf provides a modular approach and built-in APIs that allows testers to quickly create scripts to interact with their Android devices. The default download of dtf comes with multiple modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges). These modules help you focus on changes made to AOSP components such as applications, frameworks, system services, as well as lower-level components such as binaries, libraries, and device drivers. In addition, you’ll be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities.

Presented by

A bag of fresh and juicy 0days is certainly something you would love to get
as a Christmas present, but it would probably be just a dream you had one of those drunken nights.

Hold on! Not all is lost! There is still hope for pwning targets without 0days.

We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.

The examples will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.

We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.

You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, this is for you.

Presented by

BReWSki (Burp Rhino Web Scanner) is an extension to the Burp Suite scanning and reporting functionality. BReWSki provides Burp Suite users with a JavaScript interface to write custom scanner insertion points, passive, and active scan definitions for Burp quickly without having to understand the internals of the Burp API. BReWSki comes with useful checks to help identify application vulnerabilities.

Presented by

C-SCAD is an information gathering and penetration testing tool written to assess the security issues present in the Web-X (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. Web-X client is hosted on the embedded web server which is shipped as a part of complete ClearSCADA architecture. Primarily, the Web-X client is restricted to perform any configuration changes but it can reveal potential information about the ClearSCADA server and associated components. Insecure deployments of WEB-X client can reveal potential information about the various functions such as alarm pages, SQL lists, and diagnostic checks including various reports. C-SCAD is authored in Python and is capable of the following:

Presented by

We will present CHIPSEC, an open source framework for platform security assessment. We will briefly describe some publications related to platform security (Secure Boot bypasses, badbios, etc.) and explain related tests in CHIPSEC. Then we will demonstrate how to use CHIPSEC to detect insecure platform configuration and perform forensics of SPI flash images.

Presented by

The stream of malicious software artifacts (malware) discovered daily by computer security professionals is a vital signal for threat intelligence, as malware bears telling clues about who active adversaries are, what their goals are, and how we can stop them. Unfortunately, while security operations centers collect huge volumes of malware daily, this “malware signal” goes underutilized as a source of defensive intelligence, because organizations lack the right tools to make sense of malware at scale.

To contribute to addressing this problem we will be launching Cynomix.org at the opening of Black Hat USA 2014. Cynomix will include three key, novel capabilities that we hope will broadly impact the way malware analysis is performed:

A subsystem for revealing “social network” style relationships between malware samples based on their shared characteristics. This subsystem allows analysts to see a group of malware samples in relation to a population-scale database of millions of malware samples.

A subsystem for revealing malware sample capabilities based on correlations between samples’ extracted technical symbols and a machine-learning model trained on web question-and-answer documents.

A subsystem for automatically generating statistically principled Yara signatures for malware samples and malware sample groups based on Bayesian reasoning at scale. This subsystem will allow users of Cynomix to quickly defend against new malware families before anti-virus companies generate signatures for them.

In our demonstration presentation at Black Hat Arsenal we will introduce Black Hat attendees to Cynomix.org, which will host a freely available version of our system. As part of our demonstration we will give detailed explanations of our platform's visualizations and algorithms while also helping people to sign up to use the system in their own security operations work.

Presented by

Detecting malware is difficult, and analyzing a detected piece of malware's behavior is even more difficult. Techniques for analysis generally fall into one of three camps: static analysis of the malicious binary on disk, dynamic analysis as the binary executes, or a hybrid approach using a snapshot of physical RAM taken as the malware executes. As the result of our DARPA Cyber Fast Track (CFT) funded research, we extend this third approach. We present a novel technique for leveraging information including multiple snapshots of physical RAM for malware detection and analysis. The technique is implemented as DAMM, a tool for differential analysis of malware in memory. DAMM functions by leveraging multiple snapshots of RAM, domain knowledge about known-benign in-memory artifacts, and indicators of malicious activity to present to the user a powerful view of malicious execution in memory.

Presented by

Does your application have dependencies on third party libraries? Do you know if those same libraries have published CVEs? OWASP Dependency-Check can help by providing identification and monitoring of the libraries your application uses, notifying you that vulnerabilities (CVEs) have been published for third party code your application uses. Jeremy will be demonstrating the tool and the various ways enterprises can use the tool to perform continuous monitoring of their applications’ dependent libraries.

Presented by

Dradis is an extensible, cross-platform, open source collaboration framework to manage security assessments. It can import from over 15 popular tools including Nessus, Qualys, and Burp. Started in 2007, the Dradis Framework project has been growing ever since.

This year at Black Hat 2014 we want to liberate a major release: Dradis Framework 3.0 with a ground-up rewrite of all the core basic components, a new, clean, modern web interface, API layer (with client bindings), new plugins, and several enhancements that will make managing your security assessments a breeze.

Presented by

Flowinspect is a tool developed specifically for network monitoring and inspection purposes. It takes network traffic as input and extracts layer 4 flows from it. These flows are then passed through an inspection engine that filters and extracts interesting network sessions. For flows that meet inspection criteria, the output mode dumps match statistics to either stdout or a file or both.

The primary difference between flowinspect and other network inspection tools is that flowinspect inspects network flows instead of individual layer 4 packet contents. As such, if for a flow certain data to be matched upon spans multiple packets, flowinspect would still be able to identify it. Inspection can be done in any of the following inspection modes (selected through appropriate command-line arguments):

regex: PCRE-compatible regular expressions

fuzzy: fuzzy string matching techniques

shellcode: libemu based (x86 compatible) shellcode detection

yara: yara-project based signature detection

There are a few mode-specific options that a user can use to tweak the behavior of the respective inspection engine. For example, regex matches could be made case insensitive, fuzzy string match threshold could be altered, generation of shellcode profile output that lists detected system calls, their arguments, and return values, etc. can be enabled, detected shellcode can be disassembled, and output could be dumped to a file. Once inspection completes, matching flows are passed to the output module that gathers statistics like match size, start of the match offset inside inspection buffer, packet IDs for a match, direction of the match (CTS/STC/ANY), etc. Matched content can also be dumped to a file or pcap generation for matched flows could also be requested.

Apart from these, there are a few other handy options that could prove useful in different network inspection scenarios. For example, inspection could be limited to interesting flows only using Berkeley Packet Filter (BPF) expressions, or via Snort-like offset/depth content modifiers, or via max packet-stream count options. Matches results can be negated, matched TCP flows could be killed, etc.

The current production version includes all the above features. Flowinspect is, however, under active development and new features/bug fixes are being pushed frequently.

Presented by

FSExploitMe is a purposely vulnerable ActiveX Control to teach you about browser exploitation. Along the way you'll learn reverse engineering, vulnerability analysis, and general exploitation on Windows.

Presented by

Heybe is Penetration Testing Automation Kit. It consists of modules that can be used to fully automate pen-tests and make them mode effective. With Heybe you can 0wn all systems in a target company in matter of minutes.

Cilingir: remote password cracker. Cilingir is a tool used to automate password / hash capturing and cracking process. Captured credentials are automatically sent to a remote password cracking server and cracked passwords are automatically stored in a local loot for usage during pen-test.

Levye : brute force tool. Levye is used for automating brute forcing process against common and not so common protocols like openvpn.

Presented by

Ice-Hole is a phishing awareness email program. It is designed to help security analysts/system administrators keep track and test end users. The tool can be used in conjunction with various third party software, like SET, for further leverage. 1.7 has some new features and enhancements like IRC triggers, integrating with a new portal feature, automatic times, dates, and sending reports on a schedule.

Presented by

More than ever, mobile apps are used to manage and store sensitive data by both corporations and individuals. During this Arsenal demonstration, we show how our new tool called 'idb' can be used to efficiently test iOS apps for a range of common flaws.

In order to enable this, idb's graphical user interface greatly simplifies the interaction with an iDevice as it automates a large number of previously tedious and manual tasks. Based on this, we demonstrate how to use idb in order to quickly and easily uncover flaws involving data storage, inter-process communication, network communications, and user input handling as seen in real-world applications. This will illustrate how apps commonly fail to safeguard sensitive data and show how idb can arm security professionals and developers with the means necessary to find these flaws from a black-box perspective.

Presented by

iOS apps are vulnerable to static analysis and attack through binary code patching. Incorporating jailbreak and debugger detection algorithms can be rendered useless with a quick binary patch. Once patched the app can be further exploited, its app data stolen, and even cloned. The iMAS research team, the team that brought Encrypted CoreData (ECD) to Github open source, has your back! At this talk we will introduce open source Encrypted Code Modules (ECM) as a technique to protect sensitive enterprise iOS applications. Using ECM as the base we will demonstrate an iOS app anti-tamper technique that is considerably more resistant to patching. We will walk through this step-by-step process to make your iOS apps more secure and … authentic.

Presented by

With the widespread adoption of DEP, code-reuse techniques such as ROP are essential parts of current exploits. ASLR randomizes the code layout to make ROP harder; unfortunately, ASLR-bypasses abound.

The Immunant compiler delivers improved hardening against ROP attacks. Unlike ASLR, code randomization is done at a fine-granularity while preserving program performance. As a result, universal exploits fail and pointer leaks are no longer enough to bypass code randomization.

On OS X and Linux, the Immunant compiler sits atop the production grade LLVM compiler framework. The Windows version integrates with the Visual Studio compiler suite. We will demonstrate protected versions of Firefox running on Windows, OS X, and Linux.

Presented by

Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB, SMB and MSRPC and DCOM. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.

The following features will be demoed:

New RPC and NDR runtime (located at impacket.dcerpc.v5, old one still available):

Support marshaling/unmarshaling for NDR20 and NDR64 (experimental)

Support for RPC_C_AUTHN_NETLOGON (experimental)

The following interface were developed based on its standard definition:

Presented by

Frustrated with the lack of mature tools for iOS security assessment? Wouldn’t you like an integrated toolchain to pull together many of the existing tools, but also integrate new and interesting tools? Perhaps you’d like to use some more advanced iOS hacking/reversing/debugging but don’t have time on the job to learn gdb. Maybe you just want to pick up iOS hacking fast and would like a mature toolchain to help you.

We can help. We’ll be bringing goodies to the table:

A “reverse sandbox” in which iOS apps can be run on jailbroken devices. It provides easily configured monitoring, hooking, disabling/enabling, and logging of Objective-C methods, C functions, and other goodies. We’ll show you how to use this to defeat common anti-jailbreaking checks in a matter of minutes.

Automated tools to help cover the routine aspects of iOS app security:

Insecure functions

Insecure network transmission

Insecure compiler settings

Hands up if you’d rather choke on a pretzel than write a report. Yeah, us too. We’ll be presenting tools that not only do security work, but that provide data that can be easily incorporated into deliverables.

We’ll help you streamline your testing by automating a lot of the grunt work, leaving you free to do what you do best: hack.

We might even drop some mobile device management 0day! (pending serious people in suits telling us it’s ok)

Presented by

JTAGulator is an open source hardware hacking tool that assists in identifying on-chip debug interfaces from test points, vias, or component pads on a circuit board. The tool can save a tremendous amount of time during reverse engineering, particularly for those who don't have the skill and/or equipment required for traditional processes. Released at Black Hat USA 2013, the tool supports detection of JTAG and asynchronous serial/UART interfaces. New features are being added as they're developed to expand the functionality and increase support for other protocols.

Presented by

Maltrieve retrieves malware directly from the location where the bad guys serve it. This allows researchers to acquire fresh samples, verify detection systems, and research infrastructure. Maltrieve includes proxy support, multi-threading, Cuckoo submission, and categorization. The tool is community-developed and available under the terms of the GNU General Public License.

Presented by

Since its adoption as the standard binary file format for *nix systems, a variety of vulnerabilities in ELF parsers have been found and exploited in OS kernels, debuggers, libraries, etc. Most of these flaws have been found manually through code review and binary modification. Nowadays, 15 years later, common programming mistakes are still being implemented in many ELF parsers that are being released these days very often, either as debuggers, reverse engineering tools, AV analyzers, plugins or as malware (yes, malware has parsers too). Here's where ELF file format fuzzing comes into the game to help you to identify these bugs in an automated fashion.

In this presentation, I will show you the security risks involved in the ELF parsing process as well as the materialization of such risks by showing different bugs found during this research. After that, I'll explain how intelligent file format fuzzing can help greatly in the flaw discovery process. Having a good background about the ELF file format and how smart fuzzing could help, I'll continue with a detailed explanation on how I mixed and implemented both concepts in Melkor - an ELF file format fuzzer.

Melkor, written in C, it's an intuitive and easy-to-use ELF file format fuzzer. Its fuzzing rules were designed using three inputs: ELF specification violations, programming patterns seen in ELF parsers, and other misc ideas and considerations. In order to have higher code/branch coverage in the programs to be tested, certain metadata dependencies must be in place; I'll show you how Melkor implements these rules when creating malformed ELF files.

In the end of the presentation, the code of Melkor will be released and I'll show you how to use it with some live demos where some real-world applications will be tested against fuzzed ELF files.

Happy ELF fuzzing !

Presented by

ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections. Come checkout the new advancements in ModSecurity and try some hands-on evasion challenges!

Presented by

Morning Catch is a Virtual Machine environment, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks. Morning Catch is a fictitious seafood company with a website, self-contained email infrastructure to receive phishing emails, and two desktop environments. One desktop environment is a vulnerable Linux client-side attack surface. The other desktop environment is a vulnerable Windows client-side attack surface. Yes, you'll get to attack a Windows software target and use Windows payloads against this virtual environment. This Arsenal session will demonstrate some of the things you can do with the Morning Catch environment.

Presented by

Attackers have all the fun. With slick, integrated, real-time, open suites like metasploit, armitage, SET, and lair they quickly seek out targets, share exploits, gain footholds, and usually win.

The time has come for defense to get the same capabilities in an open source platform dedicated to defense and based on modern technology.

To this end the operations security group at Mozilla has developed MozDef: The Mozilla Defense Platform to take on traditional SIEM functionality of event management, alerting and correlation, and expand the real-time capabilities of the defender into automated defense and shared incident response.

Come take a look at what we are building and join in won't you?!

Presented by

NFCulT stands for NFC ultralight Toolkit. It is the ultimate open source Android app that will let you research and exploit vulnerabilities in ultralight implementations.

It is very useful for finding bugs in transport system all over the world where Mifare Ultralight is very common.
It will allow the user the possibility to see, change, and edit every single bit of a ticket to gain an in-depth understanding on how their own utralight implementation works.

It has been used to find the three major vulnerabilities in ultralight implementations for transport systems in the past year.

Presented by

Last year, we delivered the definitive guide for pen-testers on hacking low frequency (LF - 125KHz) RFID badge systems to gain unauthorized access to buildings and other secure areas. In this second installment, we’re raising the stakes, peeling back the onion even further, and directly confronting the RFID elephant in the room – hacking High Frequency (HF - 13.56 MHz) and Ultra-High Frequency (UHF – 840-960 MHz).

This presentation will serve as a practical guide for penetration testers to understand the attack tools and techniques available to them for stealing and using RFID tag information, specifically for HF and UHF systems. We will showcase the best-of-breed in hardware/software that you’ll need to build out your own RFID penetration toolkit. We’ll also be releasing a slew of new/free RFID hacking tools that employ Arduino microcontrollers, Raspberry Pis, phone/tablet apps, and even 3D printing.

The applications for HF and UHF technologies extend far beyond the realm of simple physical access control, and can also be found in modern credit cards, e-Passports, enhanced driver’s licenses, ski passes, NFC reward cards, public transit passes, and are even used as the foundation of Disney’s new MyMagic+ initiative. Unfortunately, the security and privacy concerns introduced by HF and UHF RFID systems are just as diverse and plentiful.

Some of the topics we will explore are:

Overview of best HF/UHF RFID hacking techniques and tools available to get for your toolkit

Tools to exploit known weaknesses of various HF RFID access control technologies, such as iClass, MIFARE/DESFire, and LEGIC product family variants

Presented by

The PCI toolkit is based on a decision tree assessment methodology, which helps you identify if your web applications are part of the PCI-DSS scope and how to apply the PCI-DSS requirements. By decomposing, one by one, you will be able to create an assessment and a final report of your scope delimitation and which OWASP guidelines must be used

Presented by

PowerSploit is a popular collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment. Come see how PowerShell can be leveraged to accomplish things that would otherwise be impossible such as, loading binaries directly into memory. Joseph Bialek and Chris Campbell will demonstrate how to utilize PowerSploit to bypass security products through all phases of a mock penetration test which includes enumeration, exploitation, privilege-escalation, credential theft, and pivoting to other hosts. They will share tips and tricks to leverage PowerShell in your own tools and highlight the new privilege escalation module being introduced at ToolsWatch.

Presented by

Praeda - Latin for "plunder, spoils of war, booty". Praeda is an automated data/information harvesting tool designed to gather critical information from various embedded devices.

Praeda leverages various implementation weaknesses and vulnerabilities found on multifunction printers (MFP) and extracts Active directory credentials from MFP configurations such as SMTP, LDAP, POP3 and SMB settings.

Praeda also test for default passwords on targeted devices and gathers SNMP community strings from network cameras, sans, UPSs and other embedded devices on the network.

During demonstration we will introduce everyone to the features and functions of this tool and how to effectively leverage it during internal penetrations testing to gather credentials that can be used to gain access to critical internal system.

Presented by

ProxyMe is a modular HTTP/S proxy based on plugins. It's designed and oriented for pen-testing or research purposes. It also has support for analyzing and modifying the traffic, SSL included. It can be used as a regular proxy or as a reverse proxy, supporting also transparent connections, making it perfect for combined attacks of Man In The Middle (or even as a load balancer if you want!).

Some of the current plugins allow you to perform attacks as 'Cache poison', an attack technique for browsers showed in owning "bad" guys {and mafia} with Javascript botnets' in Black Hat USA 2012 by Chema Alonso and Manuel Fernández.

ProxyMe could also be used for the purposes of:

Analyzing and modifying HTTP/S protocol

Creation of malware or backdoors embebed into HTTP/S protocol

Web Application Firewall (WAF)

... whatever you can create with plugins using your imagination

And of course, it's freeware and open source.

Presented by

In 2008 we released reDuh (http://research.sensepost.com/tools/web/reduh), a network tunnelling tool that allowed port forwarding via a web-shell and HTTP/S to backend services. reDuh has since become part of any attackers standard toolkit, featuring in several books and notoriously described as "insidious" by HBGary in their leaked e-mails.

However, when doing any sort of tunnelling, targeting multiple hosts and ports can be frustrating as it requires a tunnel to be setup for each unique host:port combination. Enter reGeorg; this is a rewrite of reDuh to support a full SOCKS4/5 proxy interface. This allows one tunnel to be used to make multiple connections, including port scans. Additionally, capabilities to take advantage of HTML5 websockets (where available) have been built for faster connections.

In short, if you can get a webshell up, you can use reGorg to gain access with your favourite tool (Nmap, Metasploit, etc.) to the entire internal network range your compromised server has access to.

Presented by

Take control over your neighbors' TVs like you see in the movies! Google Chromecast is a handy little gadget that lets you stream video to your TV from a variety of sources like Netflix and YouTube. It also allows streaming from nearby hackers.

I'll demonstrate how to hijack any Google Chromecast -- even if it's behind a secure Wi-Fi network -- to do your bidding. I’ll also be revealing a new tool to fully automate the hijacking and playing of arbitrary video to the victim's TV. Let the prank war commence.

Presented by

Tripwire SecureScan™ is a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability among many others. Fast, free, and simple to use - no license required.

Presented by

Serpico is a report generation and collaboration tool. Serpico’s primary function is to cut down on the amount of time it takes to write a penetration testing report. When building a report the user adds "findings" from the template database to the report. When there are enough findings, the user clicks 'Generate Report' to create the docx of the report. New Report templates can be added through the UI making the reports easy to customize. The Report Templates themselves use a custom Markup Language that includes common variables (i.e. finding name, customer name, customer address, etc.) along with more complex requirements. It is meant to be simple and intuitive.

Serpico is already in use by a number of consultants, but we think it is time to get the word out. Serpico was built by penetration testers with a pen-testers methodology in mind. It might make you hate report writing just a little bit less.

Presented by

ShinoBOT is a RAT (backdoor malware) simulator, released at the previous Black Hat Arsenal. The new tool, ShinoBOT Suite, is a total malware package which contains the RAT simulator, downloader, dropper, encryptor, CandC server, decoy files, etc. All of them are customizable.

You can create your own malware by ShinoBOT suite and it can be used to simulate the recent targeted attack. The new ShinoBOT works also on the standalone / offline environment.

Presented by

As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boils down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set. The lucky security professionals work for companies who can afford expensive GRC tools to aide in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It's cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers and where budget wouldn't let me go down the GRC route, I finally decided to do something about it. After officially debuting at Black Hat 2013, SimpleRisk, a simple and free tool to perform risk management activities, is back with many significant improvements. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded at http://www.simplerisk.org. SimpleRisk is truly Enterprise Risk Management simplified.

Presented by

As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. SPF can be used as a pivot to gain access to an internal network, gaining access to additional vulnerabilities. SPF can be used to bypass filtering, using SMS to control an exploited internal system. Demonstrations of SPF functionality will be shown.

Presented by

Snoopy is a distributed tracking, data interception, and profiling framework. The software can run on small, cost-effective hardware (BeagleBone, RaspberryPi) and be deployed over a large area (we call these 'drones'). Each Snoopy drone passively or actively collects information on people who walk past from the array of wireless (Wi-Fi, Bluetooth, etc.) devices that they carry on their person. This information is synchronized to a central server where we can visually explore it with tools like Maltego.

Presented by

Spotlight Inspector is a free application for computer forensic investigation of Mac OS X computers. Until now, there has never been an effective cross-platform forensics tool for accessing Spotlight internal data from Mac OS X systems – which is where all of the information about files indexed on a computer can be accessed by forensic investigators. This information gathering is crucial to digital investigators.

Spotlight is the name of Apple OS X’s desktop search functionality. It indexes all the files on a volume storing metadata about file system object (e.g. file, directory) in an effort to provide fast and extensive file searching capabilities.

The metadata stored includes familiar file system metadata, as in MAC times as well as file-internal metadata like image dimensions and color model and file usage count. Spotlight allows users to search for documents with the Author tag "Snowden," for example. These databases are created by OS X on each volume the machine can access, including flash drives.

Spotlight Inspector parses Spotlight metadata databases and provides functionality to work with the internal data in a clean and useful way.

Presented by

Research in taint tracking and taint inference is hot in the scientific community. We have studied all tools and ideas developed for automated SQL injection prevention using scientific methods, and in an attempt to evaluate them, broken them all down.

This tool summarizes methods to detect and break all these methods, such as Diglossia (2013), Prof. Sekar's Negative Taint Inference (2011) and etc. On top of that, we have created Joza (2014), a new hybrid system that automatically detects and prevents all SQL injection attack with zero false positives. This research and tool is patented, and will be published shortly.

Finally, Taintless will demonstrate how to break Joza; though, the process is rigorous and requires multiple layers of intelligence in the tool, it proves that all these approaches are not bullet proof and need improvement.

Presented by

TriForce is a set of analysis tools made for those who want to go deeper. With a focus on file system journaling forensics, we make use of artifacts that allow us to turn them into a forensic time machine. With tools that cover NTFS, HFS+, and Ext3, we are pushing forward a new era of analysis based on file system journaling.

The NTFS file system is our first production tool to leave beta and allows an examiner to review the master file table, metadata journal, and change the journal to determine the following:

Timestamp changes, detection and original time

Names of files being wiped, detection, and original names and metadata

Files being exfiltrated via CD Burning

Attachments being accessed from Outlook

Low-level file system changes and activity for dynamic analysis of exploits and malware

Determining if alternative file system drivers have written to a disk

Determining what was accessed from external devices

Our research continues, but we believe we can show you data that existed on your disks that you never knew to look for, which will provide you new capabilities in your work and research.

Presented by

The Veil-Framework is an open source project that aims to bridge the gap between pen-testing and red team toolsets. It began with Veil-Evasion, a tool to generate AV-evading payload executables, expanded into payload delivery with the release of Veil-Catapult, and branched into Powershell functionality with the release of Veil-PowerView for domain situational awareness. This Arsenal presentation will cover the inner workings of all of these tools, and demonstrate various use cases where the Veil-Framework can help facilitate engagements.

I will also demonstrate a newly developed post-exploitation framework, Veil-Pillage, which is being released publicly during an associated DEF CON presentation. Veil-Pillage’s modular structure makes it easy to implement the wealth of existing post-exploitation techniques out there, publicly or privately developed. The framework utilizes a number of triggering mechanisms with a preference toward stealth, contains complete command line flags for third-party integration, and has comprehensive logging and cleanup script capabilities.

Presented by

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples of Windows, Linux, Mac OS X, and Android systems. Our last release received over 40,000 downloads and we're equally as excited to get 2.4 into the hands of forensic investigators and malware analysts. Some of the key features of the 2.4 release that we'll be demoing are:

Presented by

VOYEUR's main purpose is to generate a fast (and pretty) Active Directory report. The tool is developed entirely in PowerShell (a powerful scripting language) without dependencies (just .Net Framework 3.5 and Ofiice Excel if you want an useful and pretty report). The generated report is a perfect starting point for well-established forensic, incident response team, or security researchers who want to quickly analyze threats in Active Directory Services.

The main capabilities of VOYEUR tool are:

Fast.- Retrieving only the main interested attributes and perform intelligent uses of them.

Presented by

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

Our framework is proudly developed using Python to be easy to use and extend, and licensed under GPLv2.0.

Presented by

With the PRISM scandal, we began to question whether Microsoft, Google, Apple, and Facebook were the only companies working with governments to spy on the behavior of its citizens. Will WhatsApp be one of these companies? Does WhatsApp store its user conversations? These sort of things make us think that users are defenseless and have no current measures to ensure the privacy of content shared on these platforms.

The main objective of the research is to add new layers of security and privacy to ensure that in the exchange of information between members of a conversation both the integrity and confidentiality cannot be affected by an external attacker. This is achieved through a system to anonymize and encrypt conversations and data sent via WhatsApp, so that when they reach the servers they are not in "plain text" and only readable to the rightful owners.

WhatsApp Privacy Guard is a tool completely transparent to the users and we will show how this technique can be used against other IM protocols and apps.

Presented by

ZigTools is a Python framework, which was developed to reduce the complexity in writing additional functionality in communicating with the Freakduino (Low cost arduino based 802.15.4 platform). Features such as initializing the radio, changing channels, sending data and processing that data can be written in just a few lines, allowing developers to focus on writing more complex applications without worrying about the low-level communications between the radio and computer.

Presented by

A world without malware is ideal but unlikely. Many of us would prefer *not* to install another layer of protection on our already-resource-constrained handheld mobile device. Alternatively, Android malware detection sans anti-virus installation has become a reality. Learn about how it’s possible to detect mobile malware using simple text messages with ZitMo NoM. ZeuS in the Mobile, known as ZitMo, is infamous for intercepting SMS transmissions then redirecting them to a Command and Control in order steal banking and personal information. Research with SMS transmissions directed at mobile malware has resulted in the ability to detect ZitMo’s presence without anti-virus applications installed. Turning cyber criminals' tools against them makes this even more of a rewarding endeavor. We are looking for malware researchers to contribute to the continued development of this open tool. The presentation will include the research, the infrastructure, and a demonstration of ZitMo NoM. Live malware will be used during this presentation, assuming we get it to behave.